Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars

_________________________________________________________________________
GET THE FREE NATIONAL CYBER SECURITY APP FOR YOUR PHONE AND TABLET

Despite headlines, hype, and hysteria, U.S. Government rightly chooses cybersecurity guidance over regulation
The Obama Administration today unveiled its long-awaited safety policy for self-driving or automated vehicles (AVs). Despite the recent tragic death of a passenger travelling in a Tesla-built AV, and persistent discussions of spectacular cyber-sabotage scenarios, the government chose a wise, sober course in regards to cybersecurity.
The U.S. Department of Transportation and National Highway Traffic and Safety Administration (NHTSA) opted to work with industry to drive AV innovation, rather than propose regulations that could restrict such innovation, and even potentially undermine the cybersecurity of such vehicles.
DoT’s four-point policy seeks to lay “a path for the safe testing and deployment of new auto technologies” with life-preserving and resource-conserving potential for the American people. Specifically, the policy presents a model for Federal and State regulatory responsibilities, outlines NHTSA’s AV regulatory tools, and proposes new regulatory tools and statutory authorities.
In the area of safety however, the government presents a 15-Point Safety Assessment Guidance, including everything from consumer education, to data recording and privacy, to human machine interfaces, to crashworthiness, to our primary concern: vehicle cybersecurity.
Following is an excerpt from the policy document’s guidance:
“While [cybersecurity] is an evolving area and more research is necessary before proposing a regulatory standard, entities are encouraged to design their HAV systems following established best practices for cyber physical vehicle systems. In particular, entities should consider and incorporate guidance, best practices, and design principles published by National Institute for Standards and Technology (NIST), NHTSA, SAE International, the Alliance of Automobile Manufacturers, the Association of Global Automakers, the Automotive Information Sharing and Analysis Center (Auto-ISAC) and other relevant organizations.
As with safety data, industry sharing on cybersecurity is important. Each industry member should not have to experience the same cyber vulnerabilities in order to learn from them. That is the purpose of the Auto-ISAC, to promote group learning. To that end entities should report any and all discovered vulnerabilities from field incidents, internal testing, or external security research to the Auto-ISAC as soon as possible, regardless of membership. Entities involved with HAVs should consider adopting a vulnerability disclosure policy.”

This afternoon, Intel Security CTO Steve Grobman commented that the choice of cybersecurity guidance reveals an Obama Administration “highly-supportive” of AV technology and the cybersecurity innovation required to protect it:
“In choosing guidance over regulation, the Administration showed itself to be both industry supportive and tech savvy. They’ve focused on best practices and the Auto-ISAC threat analysis and vulnerability sharing between automakers and component manufacturers.
They clearly understand that the critical cybersecurity challenge in self-driving vehicles will be tackling the threats of today and tomorrow—versus the threats of five years ago.
There’s always a concern that government regulations may stifle the ability of innovators to innovate, whereas guidance tends to create an ongoing, constructive, even progressive dialogue between stakeholders.
But one of the greatest challenges of cybersecurity is that a regulation-based approach to protection never keeps up with the rapid pace of a changing cyber-threat landscape. New threats and vulnerabilities come to light each month.
Well-meaning regulatory regimes can force an opportunity cost upon manufacturers, as limited resources best applied to address today’s most critical threats can be spent wrestling with restrictions meant to address older issues long after they are critical security concerns.